Lack of security

Hi,

From a discussion on the CGI forum (subject '.php pages') it seems there is a glaring security hole in php scripts, such that if you are using php to access a mySQL db (ie most of us) then any other user can read your files, including your db password. This means they can mess up or delete _all_ your data.

I am posting here, as PlusNet support seem to ignore the CGI forum. As a developer, I want to provide sites for my clients, at least in prototype form before moving to their own hosting. Even if it were only for my own stuff, I could not accept such an insecure setup.

Can we have some response from PlusNet please? What do other users think?

Regards,
Ranjit.
2 REPLIES

RE: Lack of security

Good afternoon,
I'll address your points in turn:
> From a discussion on the CGI forum (subject '.php pages') it seems there is a glaring security hole in php scripts, such that if you are using php to access a mySQL db (ie most of us) then any other user can read your files, including your db password. This means they can mess up or delete _all_ your data.
As has been posted before, we have to strike a balance between usability and security. You'll find some places on the CGI platform that would not be considered secure in comparison with our main webserving platform.
Your comments have been taken on board, however -- we do value your feedback and suggestions for improvements to the service are taken on board.
> I am posting here, as PlusNet support seem to ignore the CGI forum. As a developer, I want to provide sites for my clients, at least in prototype form before moving to their own hosting. Even if it were only for my own stuff, I could not accept such an insecure setup.
Customer Support only monitor this forum, not the others, hence the other thread has not received a support reply. Personally, I use the CGI platform for a lot of my own work, but as with all CGI platforms I understand the limitations of security on such a platform and take this into consideration when working with them.
Regards,
Mike
--
| Mike Grice Unmetered & ADSL solutions
| Technical Support for Home & Business
| PlusNet Technologies Ltd. @ http://www.plus.net

RE: Lack of security

> Good afternoon,
All right?
>
> I'll address your points in turn:
>
And I yours.

> > From a discussion on the CGI forum (subject '.php pages') it seems there is a glaring security hole in php scripts, such that if you are using php to access a mySQL db (ie most of us) then any other user can read your files, including your db password. This means they can mess up or delete _all_ your data.
>
> As has been posted before, we have to strike a balance between usability and security. You'll find some places on the CGI platform that would not be considered secure in comparison with our main webserving platform.
>

Look, no offence, but PHP does not need to run on a CGI server, as I'm sure loads of your users have pointed out. It actually makes more sense for it to be compiled as an Apache module, both in terms of security and performance.

Your setup actually gives worse security _and_ worse usability than the standard ISP setup. Firstly it's insecure, as outlined, and secondly it's a real pain having to link php pages from a different server, and means for example that php scripts cannot access your main webpages.

How exactly have you improved usability by sacrificing security? Seems to me you have the worst of both.

I also feel it's a bit lame just to say "some places on the CGI platform that would not be considered secure in comparison with our main webserving platform." Is that your attitude to securing your customers' data?

Furthermore, how come you can secure individual directories on the webserver and not on the CGI servers? Is that really beyond the combined PlusNet expertise?

(And please don't say that would break scripts - the only scripts it would break are those which read other users' directories, i.e. illegal ones.)

> Your comments have been taken on board, however -- we do value your feedback and suggestions for improvements to the service are taken on board.
>
Well, you say that, but according to the CGI forum, PlusNet have been promising to upgrade PHP from the current 4.06 (it's now on 4.3) since last summer.

Further, these points about security have also been made to yourselves over a period of more than a year, and yet nothing has been done.

Taking stuff on board is all well and good, but if you don't actually do anything, it's not much cop, is it?

> > I am posting here, as PlusNet support seem to ignore the CGI forum. As a developer, I want to provide sites for my clients, at least in prototype form before moving to their own hosting. Even if it were only for my own stuff, I could not accept such an insecure setup.
>
> Customer Support only monitor this forum, not the others, hence the other thread has not received a support reply.

Fair enough, although I would say that properly knowledgeable support staff should also contribute to the other forums, or at least look at discussions that have more than, say, 10 replies.

> Personally, I use the CGI platform for a lot of my own work, but as with all CGI platforms I understand the limitations of security on such a platform and take this into consideration when working with them.
>
Well, that's a subtle put-down. But I think if one looks at the points above, you don't really know what you're talking about.

> Regards,
> Mike
>
The overall point remains: why are PlusNet incapable of securing their CGI server in the same way that they do their webserver?

More interestingly, why do PlusNet find it so hard to take on user comments and actually apply them to improve their offering? As noted, PlusNet have been aware of this issue, and the general usability problem, for a _long_ time.

Regards,
Ranjit.

PS: People who ask difficult questions force you to improve your thinking. So please bear with your users, as they bear with you.
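The exposure Ranjit describes (another local user reading a PHP file that holds the MySQL password) is something a shared-host user can check for themselves. The following POSIX shell script is an added example, not code from either post or from PlusNet: it lists files under a directory that are world-readable and look like they contain database credentials, and optionally strips the group/other read bits. The function names, the file-name patterns and the credential heuristic are assumptions. The caveat that matters for this thread: removing the other-read bit only helps when the PHP/CGI interpreter runs under your own uid (suexec-style). On a platform where every user's script runs as one shared web-server account, the config file must stay readable by that account, and therefore by every other user's script too, which is exactly the usability-versus-security trade-off Mike refers to.

```shell
#!/bin/sh
# Added example, not part of the forum thread. Audits a directory tree on a
# shared host for the problem discussed above: files any other local user can
# read that appear to contain database credentials.
# Function names, file patterns and the credential heuristic are hypothetical.

# Print every regular file under $1 that is world-readable (other-read bit set;
# -perm -004 is accepted by both GNU and BSD find) and that contains something
# that looks like a MySQL credential. Output: one path per line.
audit_exposed_credentials() {
    root="$1"
    find "$root" -type f -perm -004 \
        \( -name '*.php' -o -name '*.inc' -o -name '*.ini' -o -name '*.conf' \) 2>/dev/null |
    while IFS= read -r f; do
        # Heuristic: a MySQL connect call or a variable/key that names a password.
        if grep -qiE 'mysql_p?connect|db_pass|password' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Remove group and other read permission from each flagged file. Only safe when
# the PHP/CGI interpreter executes as the file owner's uid (suexec-style). On a
# platform where all scripts run as one shared web-server user this makes the
# script unable to read its own config, which is the trade-off the thread is about.
lock_down_credentials() {
    audit_exposed_credentials "$1" | while IFS= read -r f; do
        chmod go-r "$f"
        printf 'locked down: %s\n' "$f"
    done
}

# Usage: sh audit_exposed_credentials.sh /path/to/public_html [--fix]
if [ "$#" -gt 0 ]; then
    if [ "$2" = "--fix" ]; then
        lock_down_credentials "$1"
    else
        audit_exposed_credentials "$1"
    fi
fi
```

Run it without `--fix` first and read the list: a hit under your CGI directory that you cannot lock down without breaking the script is the concrete evidence that the platform, not your code, is what leaves the password readable.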